What Changed
Added comprehensive detection coverage for Google Cloud Platform Security Command Center findings, including 5 new Analytic Rules and 5 Hunting Queries targeting critical GCP security misconfigurations.
Analytic Rules (5 added)
New detection rules target common GCP security gaps:
- GCP API Key APIs Unrestricted: Detects API keys without API restrictions
- GCP API Key Exists: Identifies projects with API keys (inherent security risk)
- GCP DNSSEC Disabled: Flags domains without DNSSEC protection
- GCP Firewall High Risk Open Ports: Detects open firewall rules on risky ports
- GCP Logging Disabled: Identifies resources with disabled audit logging
All rules query the GoogleCloudSCC table and map their results to CloudApplication entities, with custom alert details that include the affected project and the number of findings.
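An added illustration of the rule pattern described above (this is not one of the rule files in this PR): a scheduled Sentinel analytic rule over GoogleCloudSCC with CloudApplication entity mapping and custom details. The connector id, the SCC Category values, and the ResourceName/State column names are assumptions to confirm against the GoogleCloudSCC schema in your workspace.

```yaml
id: 00000000-0000-0000-0000-000000000000   # placeholder GUID, replace before packaging
name: GCP Firewall High Risk Open Ports (illustrative)
description: |
  Surfaces active Security Command Center findings for firewall rules that expose
  high-risk ports. Category values and column names below are assumed; verify them
  against the GoogleCloudSCC table in the workspace before use.
severity: High
requiredDataConnectors:
  - connectorId: GCPSecurityCommandCenter   # assumed; use the connector id shipped with the solution
    dataTypes:
      - GoogleCloudSCC
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
query: |
  GoogleCloudSCC
  // Only open findings; resolved ones carry State INACTIVE (assumed column/value)
  | where State =~ "ACTIVE"
  // Assumed Security Health Analytics categories for exposed firewall rules
  | where Category in~ ("OPEN_FIREWALL", "OPEN_SSH_PORT", "OPEN_RDP_PORT")
  // ResourceName is a full resource path; pull the owning project out of it
  | extend ProjectId = extract(@"projects/([^/]+)", 1, ResourceName)
  | summarize FindingCount = count(),
              Categories   = make_set(Category),
              FirstSeen    = min(TimeGenerated),
              LastSeen     = max(TimeGenerated)
      by ProjectId, ResourceName
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: ResourceName
      - identifier: InstanceName
        columnName: ProjectId
customDetails:
  ProjectId: ProjectId
  FindingCount: FindingCount
  FindingCategories: Categories
  FirstSeen: FirstSeen
  LastSeen: LastSeen
version: 1.0.0
kind: Scheduled
```

Grouping by project and resource keeps one alert per exposed firewall rule per run, and the custom details let an analyst triage from the alert without opening the raw finding.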
Hunting Queries (5 added)
Proactive hunting capabilities for GCP environments:
- GCP Admin Service Account Detection: Identifies service accounts with elevated privileges
- GCP Compute Secure Boot Disabled Detection: Finds VMs without secure boot
- GCP Full API Access Detection: Locates instances with unrestricted API scope
- GCP Public Buckets: Surfaces Cloud Storage buckets with public ACLs
- GCP User Managed Service Account Key Detection: Finds long-lived service account keys
Security Impact (Visibility & Fidelity)
This Solution closes significant detection gaps for GCP environments by monitoring Security Command Center findings. Organizations can now detect:
- API key misconfigurations that enable unauthorized access
- Disabled security features (DNSSEC, logging, secure boot)
- Over-privileged service accounts and risky IAM bindings
- Public cloud storage exposures
- Network security policy violations
Affected Files
Solutions/Google Cloud Platform Security Command Center/Analytic Rules/GCPAPIKeyApisUnrestricted.yaml
Solutions/Google Cloud Platform Security Command Center/Analytic Rules/GCPAPIKeyExists.yaml
Solutions/Google Cloud Platform Security Command Center/Analytic Rules/GCPDNSSECDisabled.yaml
Solutions/Google Cloud Platform Security Command Center/Analytic Rules/GCPFirewallHighRiskOpenPorts.yaml
Solutions/Google Cloud Platform Security Command Center/Analytic Rules/GCPLoggingDisabled.yaml
Solutions/Google Cloud Platform Security Command Center/Hunting Queries/GCPAdminServiceAccountDetection.yaml
Solutions/Google Cloud Platform Security Command Center/Hunting Queries/GCPComputeSecureBootDisabledDetection.yaml
Solutions/Google Cloud Platform Security Command Center/Hunting Queries/GCPFullAPIAccessDetection.yaml
Solutions/Google Cloud Platform Security Command Center/Hunting Queries/GCPPublicBuckets.yaml
Solutions/Google Cloud Platform Security Command Center/Hunting Queries/GCPUserManagedServiceAccountKeyDetection.yaml
(packaging artefacts: createUiDefinition.json, mainTemplate.json, Solution_*.json, ReleaseNotes.md)